[
https://issues.apache.org/jira/browse/FLINK-5850?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15889227#comment-15889227
]
Eron Wright edited comment on FLINK-5850 at 3/1/17 12:53 AM:
--------------------------------------------------------------
Something to keep in mind is that the web frontend is proxied in the YARN and
Mesos deployment modes.
Here are some Mesos specifics:
The DCOS distribution of Mesos uses OpenID Connect and I think the "admin
router" proxy will pass the token to the webapp.
Here are some YARN specifics:
When you click on the 'tracking URL' for a running YARN application, the
browser opens to the Flink WebUI indirectly via YARN's RM Proxy. The proxy
doesn't pass through arbitrary headers nor the `Authorization` header (see
FLINK-4637). The webapp (in this case, Flink) should use
`org.apache.hadoop.yarn.server.webproxy.amfilter.AmIpFilter` to delegate
authentication to the RM proxy. The filter does make available the username
for app-specific authorization logic.
Some references:
[https://steveloughran.gitbooks.io/kerberos_and_hadoop/content/sections/yarn.html]
[https://hadoop.apache.org/docs/r2.7.1/hadoop-project-dist/hadoop-common/HttpAuthentication.html]
[https://github.com/apache/hadoop/blob/release-2.7.1/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-web-proxy/src/main/java/org/apache/hadoop/yarn/server/webproxy/WebAppProxyServlet.java#L71]
[https://github.com/apache/hadoop/tree/release-2.7.1/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-web-proxy/src/main/java/org/apache/hadoop/yarn/server/webproxy/amfilter]
was (Author: eronwright):
Something to keep in mind is that the web frontend is proxied in the YARN and
Mesos deployment modes.
Here are some Mesos specifics:
The DCOS distribution of Mesos uses OpenID Connect and I think the "admin
router" proxy will pass the token to the webapp.
Here are some YARN specifics:
When you click on the 'tracking URL' for a running YARN application, the
browser opens to the Flink WebUI indirectly via YARN's RM Proxy. The proxy
doesn't pass through arbitrary headers nor the `Authorization` header. The webapp
(in this case, Flink) should use
`org.apache.hadoop.yarn.server.webproxy.amfilter.AmIpFilter` to delegate
authentication to the RM proxy. The filter does make available the username
for app-specific authorization logic.
Some references:
[https://steveloughran.gitbooks.io/kerberos_and_hadoop/content/sections/yarn.html]
[https://hadoop.apache.org/docs/r2.7.1/hadoop-project-dist/hadoop-common/HttpAuthentication.html]
[https://github.com/apache/hadoop/blob/release-2.7.1/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-web-proxy/src/main/java/org/apache/hadoop/yarn/server/webproxy/WebAppProxyServlet.java#L71]
[https://github.com/apache/hadoop/tree/release-2.7.1/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-web-proxy/src/main/java/org/apache/hadoop/yarn/server/webproxy/amfilter]
> implement OAuth 2.0 check in Web Backend API
> --------------------------------------------
>
> Key: FLINK-5850
> URL: https://issues.apache.org/jira/browse/FLINK-5850
> Project: Flink
> Issue Type: Improvement
> Components: Web Client
> Affects Versions: 1.2.0, 1.1.4
> Reporter: Fabian Wollert
>
> Currently the web frontend is open to the public. It would be helpful for us to
> have the frontend and the backend secured by OAuth 2.0.
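A simplified model of the delegation the comment above describes for YARN, added here as an example; it is not code from Hadoop, Flink or the comment's author. The class, method names, addresses and user names are hypothetical; `proxy-user` is the cookie name Hadoop's web proxy uses to carry the authenticated user.

```java
import java.util.Map;
import java.util.Optional;
import java.util.Set;

/** Model of a webapp delegating authentication to the YARN RM proxy (JDK only, Java 16+). */
public class ProxyDelegatedAuth {
    static final String PROXY_USER_COOKIE = "proxy-user";

    /** Either a redirect to the proxy, or a pass-through with the user the proxy vouched for. */
    record Decision(boolean redirect, String location, Optional<String> user) {}

    private final Set<String> proxyAddresses; // resolved IPs of the RM proxy host(s)
    private final String proxyUriBase;        // proxy URL that fronts this application
    private final Set<String> operators;      // app-specific: users allowed to change state

    ProxyDelegatedAuth(Set<String> proxyAddresses, String proxyUriBase, Set<String> operators) {
        this.proxyAddresses = Set.copyOf(proxyAddresses);
        this.proxyUriBase = proxyUriBase;
        this.operators = Set.copyOf(operators);
    }

    Decision check(String remoteAddr, String requestUri, Map<String, String> cookies) {
        // A request that did not come from the proxy carries no trustworthy identity,
        // whatever cookies it presents: send it to the proxy, which authenticates it.
        if (!proxyAddresses.contains(remoteAddr)) {
            return new Decision(true, proxyUriBase + requestUri, Optional.empty());
        }
        // Only behind the address check is the cookie meaningful.
        String user = cookies.get(PROXY_USER_COOKIE);
        return new Decision(false, null, Optional.ofNullable(user).filter(u -> !u.isEmpty()));
    }

    /** App-specific authorization on top of the delegated authentication. */
    boolean mayModify(Decision d) {
        return !d.redirect() && d.user().map(operators::contains).orElse(false);
    }

    public static void main(String[] args) {
        // Constructed sample values.
        var auth = new ProxyDelegatedAuth(Set.of("10.0.0.5"),
                "http://rm.example:8088/proxy/application_0001", Set.of("alice"));
        var viaProxy = auth.check("10.0.0.5", "/jobs", Map.of("proxy-user", "alice"));
        var direct = auth.check("192.0.2.77", "/jobs", Map.of("proxy-user", "alice"));
        var anonymous = auth.check("10.0.0.5", "/jobs", Map.of());
        System.out.println(viaProxy + " mayModify=" + auth.mayModify(viaProxy));
        System.out.println(direct + " mayModify=" + auth.mayModify(direct));
        System.out.println(anonymous + " mayModify=" + auth.mayModify(anonymous));
    }
}
```

The source-address comparison is the only thing that makes the cookie trustworthy, so the list of proxy addresses has to match the RM proxy hosts exactly.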